Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description, SKILL.md (E:/knowledge-base root and localhost API) and the code all point to a local KB integration; this is coherent. However the runtime code depends on an external local module scripts/openclaw_integration (imported via sys.path modification) which is not bundled or documented in SKILL.md. The hard-coded Windows path (E:/knowledge-base) is also a platform assumption.
Instruction Scope
SKILL.md instructs use of a local API and KB path and does not disclose that the skill's Python file will import and execute a local module. That imported module (handle_request) is responsible for network/file operations and is absent from the package—its behavior is unknown and could access arbitrary local files or external endpoints.
Install Mechanism
No install spec and no external downloads; the skill is instruction+code only, so nothing extra is pulled from the network by the skill bundle itself.
Credentials
The skill declares no required environment variables or credentials, which is proportionate to a local KB integration. Note: it relies on local filesystem paths and a localhost API endpoint, which are reasonable but sensitive resources.
Persistence & Privilege
The skill does not request always:true or elevated platform privileges and does not modify other skills. The main risk is that it will import/execute code from a local scripts directory which may persist or behave beyond the skill's apparent scope.
What to consider before installing
This skill appears to implement a local knowledge‑base frontend, which is reasonable. Before installing or enabling it, check the following: 1) The skill's openclaw_skill.py imports handle_request from scripts/openclaw_integration that is not included—find and review that module's source (E:/knowledge-base/scripts/openclaw_integration.py) to ensure it does not execute unwanted actions or exfiltrate data. 2) Confirm you trust the local API at http://127.0.0.1:8001 and the configured KB root (E:/knowledge-base); those endpoints/files could be read or written by the skill. 3) Because the skill executes local Python code, consider running it in an isolated environment (VM/container) or obtaining the complete source from a trusted origin. If you cannot inspect the missing module or verify the local service, treat the skill as potentially unsafe.Like a lobster shell, security has layers — review code before you run it.
latestvk97azgsc2ma4fghg6f84k7tat981jp49
License
MIT-0
Free to use, modify, and redistribute. No attribution required.